OPRUN-4541,OPRUN-4544: add lifecycle-server for serving FBC catalog lifecycle metadata #1284

Open
perdasilva wants to merge 1 commit into openshift:main from perdasilva:lifecycle-server

perdasilva (Contributor) commented Apr 30, 2026

Summary

  • Introduces a new lifecycle-server binary that serves lifecycle metadata from FBC (File-Based Catalog) content via a versioned REST API (GET /api/{version}/lifecycles/{package})
  • The server loads lifecycle blobs at startup into an in-memory index, serves them over HTTPS with Kubernetes authn/authz, and exposes /healthz and /readyz endpoints
  • Fails fast on FBC load errors and duplicate lifecycle blobs to prevent starting in a degraded or inconsistent state
  • Hardens both API and health servers with connection timeouts (ReadHeaderTimeout, ReadTimeout, WriteTimeout, IdleTimeout)
  • Includes Dockerfile and Makefile changes for build
  • Updates library-go to remove cipher suites no longer supported by Go's crypto/tls (DHE-RSA suites, SHA384 CBC suites, ECDHE-RSA-DES-CBC3-SHA), which the lifecycle-server's TLS configuration depends on via crypto.TLSVersion() and crypto.CipherSuite()
  • e2es will come in a follow-up PR that adds the lifecycle-controller

Key Components

  • cmd/lifecycle-server/ — CLI entrypoint with TLS cert hot-reload, graceful shutdown, health/readiness probes, connection timeout hardening
  • pkg/lifecycle-server/ — FBC loading/indexing (fbc.go), HTTP API handler and health handler (server.go)

Test plan

  • Unit tests for schema version regex matching (TestSchemaVersionRegex)
  • Unit tests for FBC loading edge cases: missing path, empty dir, mixed schemas, corrupted files, subdirectories, duplicates (TestLoadLifecycleData, TestLoadLifecycleData_Subdirectory)
  • Unit tests for API handler: status codes, content types, method enforcement, nil/empty data, concurrent requests, byte-for-byte blob fidelity (TestNewHandler*)
  • Unit tests for health/readiness endpoints: healthz always 200, readyz 503 when empty/nil, readyz 200 when loaded (TestNewHealthHandler)
  • go build ./cmd/lifecycle-server/... succeeds
  • go test ./pkg/lifecycle-server/... passes
  • go mod verify clean

🤖 Generated with Claude Code

Summary by CodeRabbit

  • New Features

    • Added a new lifecycle-server with TLS-secured API endpoints and unauthenticated health endpoints to serve lifecycle data by version and package.
    • Introduced in-memory indexing of lifecycle catalog blobs with version/package lookup and readiness semantics.
  • Chores

    • Build and runtime packaging updated to include the lifecycle-server binary and promote related dependencies.
  • Tests

    • Extensive unit tests for catalog loading, indexing, HTTP handlers, concurrency, and health/readiness behavior.
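
The duplicate check, the 503/404 handler behaviour, the readiness semantics and the connection timeouts listed in the summary above, sketched as an added Go example; this is not the PR's code. The `Meta` type with its pre-extracted `Version` field, the `Probe` helper, the sample data, the timeout values and the choice of 503 for an empty index are assumptions.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"os"
	"strings"
	"time"
)

// Meta is a simplified, assumed stand-in for one parsed FBC entry.
type Meta struct {
	Version string // schema version, assumed already extracted from the schema name
	Package string
	Blob    json.RawMessage
}

// LifecycleIndex maps schema version -> package -> raw blob.
type LifecycleIndex map[string]map[string]json.RawMessage

var ErrDuplicate = errors.New("duplicate lifecycle blob")

// BuildIndex refuses duplicates instead of letting the last blob win.
func BuildIndex(metas []Meta) (LifecycleIndex, error) {
	idx := LifecycleIndex{}
	for _, m := range metas {
		if m.Package == "" {
			continue // entries without a package are skipped
		}
		if _, dup := idx[m.Version][m.Package]; dup {
			return nil, fmt.Errorf("%w: version %q package %q", ErrDuplicate, m.Version, m.Package)
		}
		if idx[m.Version] == nil {
			idx[m.Version] = map[string]json.RawMessage{}
		}
		idx[m.Version][m.Package] = m.Blob
	}
	return idx, nil
}

// NewHandler serves GET /api/{version}/lifecycles/{package}.
// Assumption: 503 means "index empty", 404 means "unknown version or package".
func NewHandler(idx LifecycleIndex) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodGet {
			w.Header().Set("Allow", http.MethodGet)
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		p := strings.Split(strings.Trim(r.URL.Path, "/"), "/")
		if len(p) != 4 || p[0] != "api" || p[2] != "lifecycles" {
			http.NotFound(w, r)
			return
		}
		if len(idx) == 0 {
			http.Error(w, "no lifecycle data", http.StatusServiceUnavailable)
			return
		}
		blob, ok := idx[p[1]][p[3]]
		if !ok {
			http.NotFound(w, r)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		_, _ = w.Write(blob) // bytes go out exactly as stored
	})
}

// NewHealthHandler: /healthz is always 200, /readyz is 503 until data is loaded.
func NewHealthHandler(idx LifecycleIndex) http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/healthz", func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	mux.HandleFunc("/readyz", func(w http.ResponseWriter, _ *http.Request) {
		if len(idx) == 0 {
			w.WriteHeader(http.StatusServiceUnavailable)
			return
		}
		w.WriteHeader(http.StatusOK)
	})
	return mux
}

// NewServer sets all four timeouts so slow clients cannot hold connections open.
// The durations are constructed sample values, not the PR's.
func NewServer(addr string, h http.Handler) *http.Server {
	return &http.Server{
		Addr:              addr,
		Handler:           h,
		ReadHeaderTimeout: 5 * time.Second,
		ReadTimeout:       10 * time.Second,
		WriteTimeout:      30 * time.Second,
		IdleTimeout:       60 * time.Second,
	}
}

// Probe drives a handler in-process and returns the status code and body.
func Probe(h http.Handler, method, path string) (int, string) {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(method, path, nil))
	return rec.Code, rec.Body.String()
}

// sampleMetas is constructed sample input; the second entry has no package.
var sampleMetas = []Meta{
	{Version: "v1", Package: "example-operator", Blob: json.RawMessage(`{"phase":"ga"}`)},
	{Version: "v1", Package: "", Blob: json.RawMessage(`{}`)},
}

func main() {
	idx, err := BuildIndex(sampleMetas)
	if err != nil {
		fmt.Fprintln(os.Stderr, "refusing to start:", err) // fail fast
		os.Exit(1)
	}
	srv := NewServer(":8443", NewHandler(idx))
	code, body := Probe(srv.Handler, http.MethodGet, "/api/v1/lifecycles/example-operator")
	fmt.Println(code, body, srv.ReadHeaderTimeout)
}
```
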

coderabbitai Bot commented Apr 30, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 512a55bb-7bb5-4688-8b5a-13dac7dff49c

📥 Commits

Reviewing files that changed from the base of the PR and between d12eea3 and 3da12b3.

⛔ Files ignored due to path filters (3)
  • go.sum is excluded by !**/*.sum
  • vendor/github.com/openshift/library-go/pkg/crypto/crypto.go is excluded by !**/vendor/**, !vendor/**
  • vendor/modules.txt is excluded by !**/vendor/**, !vendor/**
📒 Files selected for processing (9)
  • Makefile
  • cmd/lifecycle-server/main.go
  • cmd/lifecycle-server/start.go
  • go.mod
  • operator-lifecycle-manager.Dockerfile
  • pkg/lifecycle-server/fbc.go
  • pkg/lifecycle-server/fbc_test.go
  • pkg/lifecycle-server/server.go
  • pkg/lifecycle-server/server_test.go
✅ Files skipped from review due to trivial changes (2)
  • operator-lifecycle-manager.Dockerfile
  • cmd/lifecycle-server/main.go
🚧 Files skipped from review as they are similar to previous changes (4)
  • pkg/lifecycle-server/server_test.go
  • Makefile
  • pkg/lifecycle-server/fbc_test.go
  • cmd/lifecycle-server/start.go

Walkthrough

Adds a new lifecycle-server binary and CLI that loads Filesystem-based Catalog (FBC) JSON blobs, indexes them by schema-version and package, and serves them over HTTPS with health endpoints, TLS reloading, authn/authz wiring, tests, build rules, and container image inclusion.

Changes

lifecycle-server: load → serve → ship

| Layer | File(s) | Summary |
|---|---|---|
| Data Shape / Indexing | pkg/lifecycle-server/fbc.go | Adds LifecycleIndex (map[string]map[string]json.RawMessage), schemaVersionRegex, and LoadLifecycleData(fbcPath, log) that walks FBC JSON metas, filters by schema regex and non-empty package, indexes blobs, and errors on duplicate version+package. |
| Core HTTP Behavior | pkg/lifecycle-server/server.go | Adds NewHandler(data, log) serving GET /api/{version}/lifecycles/{package} returning stored raw JSON or 503/404 as appropriate, and NewHealthHandler(data) serving /healthz and /readyz readiness based on index emptiness. |
| CLI / TLS / Runtime | cmd/lifecycle-server/start.go, cmd/lifecycle-server/main.go | Implements Cobra CLI with start subcommand; parses TLS flags (including min-version and cipher suites), builds TLS config with certificate reload via GetCertificate, loads lifecycle data, composes authn/authz filters and handlers, and runs TLS API and non-TLS health servers concurrently with graceful shutdown (cancelableServer). |
| Build, Packaging & Tests Wiring | Makefile, operator-lifecycle-manager.Dockerfile, go.mod, cmd/lifecycle-server/main.go | Makefile: introduces LIFECYCLE_SERVER_CMD, build rule and unit/lifecycle-server test target; Dockerfile: copy bin/lifecycle-server into runtime image; go.mod: promotes/updates library dependencies. |
| Unit / Integration Tests | pkg/lifecycle-server/fbc_test.go, pkg/lifecycle-server/server_test.go | Adds comprehensive tests for schema regex, FBC loading behavior (skips/duplicates/errors/subdirectories), LifecycleIndex helpers, handler behavior (status codes, byte-for-byte blob returns, concurrency), and health endpoints. |

Sequence Diagram(s)

sequenceDiagram
    participant CLI as "lifecycle-server CLI"
    participant FS as "FBC Filesystem"
    participant K8s as "Kubernetes (REST Client / Auth)"
    participant Index as "LifecycleIndex"
    participant Handler as "HTTP Handlers"
    participant APISrv as "API Server (TLS)"
    participant HealthSrv as "Health Server"

    CLI->>FS: LoadLifecycleData(fbcPath)
    FS-->>Index: LifecycleIndex (version→package→blob)
    CLI->>K8s: Build REST client and authn/authz filter
    CLI->>Handler: NewHandler(Index, log)
    CLI->>Handler: NewHealthHandler(Index)
    CLI->>APISrv: Start TLS API server (uses TLSConfig with GetCertificate)
    CLI->>HealthSrv: Start health server (no TLS)
    Note right of APISrv: Serve GET /api/{version}/lifecycles/{package}
    Note right of HealthSrv: Serve /healthz and /readyz
    CLI->>CLI: Wait for cancellation signal
    CLI->>APISrv: Shutdown with timeout
    CLI->>HealthSrv: Shutdown with timeout

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes


Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Ote Binary Stdout Contract | ❌ Error | The lifecycle-server binary uses klog.NewKlogr() which writes to stdout by default without redirection to stderr, violating the OTE Binary Stdout Contract requiring JSON-only output. | Add klog.LogToStderr(true) in an init() function or at the beginning of run() before any logging occurs to redirect klog output to stderr. |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 36.84% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (10 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes the main addition: a new lifecycle-server binary for serving FBC catalog lifecycle metadata, which aligns with the core changes across cmd/ and pkg/ directories. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | Test files use standard Go testing framework with stable, deterministic test names; Ginkgo framework not used. |
| Test Structure And Quality | ✅ Passed | PR uses standard Go testing framework with table-driven tests and testify/require assertions instead of Ginkgo tests, making this Ginkgo-focused check not applicable. |
| Microshift Test Compatibility | ✅ Passed | This PR contains only standard Go unit tests using the testing package, not Ginkgo e2e tests. The custom check targets Ginkgo e2e test compatibility with MicroShift, which is not applicable here. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | This PR does not add any Ginkgo e2e tests. The test files added are standard Go unit tests using the testing package and testify/require assertions, not Ginkgo e2e tests. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | PR introduces lifecycle-server binary and Go packages without deployment manifests or scheduling constraints incompatible with OpenShift topologies. |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | PR adds only standard Go unit tests (fbc_test.go, server_test.go) using testing.T and testify, not Ginkgo e2e tests. Unit tests are isolated and do not assume IPv4 networking or require external connectivity. |

@perdasilva perdasilva changed the title feat: add lifecycle-server for serving FBC catalog lifecycle metadata OPRUN-4541: add lifecycle-server for serving FBC catalog lifecycle metadata Apr 30, 2026
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Apr 30, 2026
openshift-ci-robot commented Apr 30, 2026

@perdasilva: This pull request references OPRUN-4541 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Summary

  • Introduces a new lifecycle-server binary that serves lifecycle metadata from FBC (File-Based Catalog) content via a versioned REST API (GET /api/{version}/lifecycles/{package})
  • The server loads lifecycle blobs at startup into an in-memory index, serves them over HTTPS with Kubernetes authn/authz, and exposes /healthz and /readyz endpoints
  • Includes RBAC (gated behind TechPreviewNoUpgrade), Dockerfile, Makefile, and manifest changes for build and deployment
  • Simplifies CRD generation to copy upstream CRDs directly instead of regenerating with controller-gen
  • Updates library-go dependency

Key Components

  • cmd/lifecycle-server/ — CLI entrypoint with TLS cert hot-reload, graceful shutdown, health/readiness probes
  • pkg/lifecycle-server/ — FBC loading/indexing (fbc.go), HTTP API handler and health handler (server.go)
  • manifests/ and microshift-manifests/ — ClusterRole RBAC for authn/authz token reviews
  • scripts/generate_crds_manifests.sh — simplified to copy upstream CRDs directly

Test plan

  • Unit tests for schema version regex matching (TestSchemaVersionRegex)
  • Unit tests for FBC loading edge cases: missing path, empty dir, mixed schemas, corrupted files, subdirectories (TestLoadLifecycleData, TestLoadLifecycleData_Subdirectory)
  • Unit tests for API handler: status codes, content types, method enforcement, nil/empty data, concurrent requests, byte-for-byte blob fidelity (TestNewHandler*)
  • Unit tests for health/readiness endpoints: healthz always 200, readyz 503 when empty/nil, readyz 200 when loaded (TestNewHealthHandler)
  • go build ./cmd/lifecycle-server/... succeeds
  • go test ./pkg/lifecycle-server/... passes
  • go mod verify clean

🤖 Generated with Claude Code

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci Bot (Contributor) commented Apr 30, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: perdasilva

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 30, 2026
coderabbitai Bot left a comment

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@cmd/lifecycle-server/start.go`:
- Around line 127-131: The code currently swallows a hard error from
server.LoadLifecycleData by logging and replacing data with an empty
server.LifecycleIndex, which masks startup failures; instead, when
server.LoadLifecycleData returns a non-nil err, fail fast: log the error with
context and terminate startup (e.g., return the error or call os.Exit/ctrl-c
handler) so the process does not start in a degraded state. Update the block
around server.LoadLifecycleData(fbcPath, log) to propagate/terminate on error
rather than assigning an empty data map, keeping successful return handling
unchanged.
- Around line 151-164: Add explicit connection timeouts to both http.Server
instances to harden against slow clients: in the primary server literal (the
&http.Server{ Addr: listenAddr, Handler: apiHandler, TLSConfig: tlsConfig, ...
}) and in the healthServer inside cancelableServer, set at minimum
ReadHeaderTimeout (e.g. a few seconds) and also add sensible ReadTimeout,
WriteTimeout and IdleTimeout values; update those &http.Server initializers
rather than leaving defaults so both the main server and healthServer enforce
timeouts.

In `@pkg/lifecycle-server/fbc.go`:
- Around line 73-79: Detect and fail on duplicate lifecycle blobs instead of
overwriting: inside the critical section guarded by mu (around result,
schemaVersion, meta.Package), check whether result[schemaVersion][meta.Package]
already exists before assigning meta.Blob; if it does, return or propagate a
clear error (e.g., fmt.Errorf("duplicate lifecycle blob for schemaVersion %s
package %s", schemaVersion, meta.Package)) so the caller can fail fast rather
than silently overwrite, otherwise create the map as now and assign meta.Blob.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 777c8237-1587-42b8-a3fa-f723f3d61d06

📥 Commits

Reviewing files that changed from the base of the PR and between 122728c and 5e0ca42.

⛔ Files ignored due to path filters (3)
  • go.sum is excluded by !**/*.sum
  • vendor/github.com/openshift/library-go/pkg/crypto/crypto.go is excluded by !**/vendor/**, !vendor/**
  • vendor/modules.txt is excluded by !**/vendor/**, !vendor/**
📒 Files selected for processing (29)
  • Makefile
  • cmd/lifecycle-server/main.go
  • cmd/lifecycle-server/start.go
  • go.mod
  • manifests/0000_50_olm_00-catalogsources.crd.yaml
  • manifests/0000_50_olm_00-clusterserviceversions.crd.yaml
  • manifests/0000_50_olm_00-installplans.crd.yaml
  • manifests/0000_50_olm_00-olmconfigs.crd.yaml
  • manifests/0000_50_olm_00-operatorconditions.crd.yaml
  • manifests/0000_50_olm_00-operatorgroups.crd.yaml
  • manifests/0000_50_olm_00-operators.crd.yaml
  • manifests/0000_50_olm_00-subscriptions.crd.yaml
  • manifests/0000_50_olm_09-lifecycle-server.rbac.yaml
  • microshift-manifests/0000_50_olm_00-catalogsources.crd.yaml
  • microshift-manifests/0000_50_olm_00-clusterserviceversions.crd.yaml
  • microshift-manifests/0000_50_olm_00-installplans.crd.yaml
  • microshift-manifests/0000_50_olm_00-olmconfigs.crd.yaml
  • microshift-manifests/0000_50_olm_00-operatorconditions.crd.yaml
  • microshift-manifests/0000_50_olm_00-operatorgroups.crd.yaml
  • microshift-manifests/0000_50_olm_00-operators.crd.yaml
  • microshift-manifests/0000_50_olm_00-subscriptions.crd.yaml
  • microshift-manifests/0000_50_olm_09-lifecycle-server.rbac.yaml
  • microshift-manifests/kustomization.yaml
  • operator-lifecycle-manager.Dockerfile
  • pkg/lifecycle-server/fbc.go
  • pkg/lifecycle-server/fbc_test.go
  • pkg/lifecycle-server/server.go
  • pkg/lifecycle-server/server_test.go
  • scripts/generate_crds_manifests.sh

Comment thread cmd/lifecycle-server/start.go
Comment thread cmd/lifecycle-server/start.go
Comment thread pkg/lifecycle-server/fbc.go Outdated
@perdasilva perdasilva force-pushed the lifecycle-server branch 3 times, most recently from 92a405c to 4c24bd3 Compare April 30, 2026 08:51
coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pkg/lifecycle-server/fbc_test.go`:
- Around line 129-134: The test cases titled "non-existent path returns empty
index" (around the shown diff) and the corrupted-JSON case (lines ~253-277) must
be updated to reflect the fail-fast FBC contract: instead of asserting an empty
LifecycleIndex, call the loader entrypoint used in tests (the test harness that
invokes the FBC loader, e.g., LoadFBC/LoadLifecycleIndex or the test helper that
calls NewLifecycleLoader) and assert it returns an error (or panics/fails) for
missing catalog paths and for corrupted JSON; update the test names/expectations
accordingly (replace expectedIndex: LifecycleIndex{} with an assertion that the
loader returned a non-nil error) so the tests fail when FBC load errors occur at
startup.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: daff8487-c31b-441f-8d4a-e897a380e513

📥 Commits

Reviewing files that changed from the base of the PR and between 80575fd and c95b32e.

⛔ Files ignored due to path filters (3)
  • go.sum is excluded by !**/*.sum
  • vendor/github.com/openshift/library-go/pkg/crypto/crypto.go is excluded by !**/vendor/**, !vendor/**
  • vendor/modules.txt is excluded by !**/vendor/**, !vendor/**
📒 Files selected for processing (13)
  • Makefile
  • cmd/lifecycle-server/main.go
  • cmd/lifecycle-server/start.go
  • go.mod
  • manifests/0000_50_olm_09-lifecycle-server.rbac.yaml
  • microshift-manifests/0000_50_olm_09-lifecycle-server.rbac.yaml
  • microshift-manifests/kustomization.yaml
  • operator-lifecycle-manager.Dockerfile
  • pkg/lifecycle-server/fbc.go
  • pkg/lifecycle-server/fbc_test.go
  • pkg/lifecycle-server/server.go
  • pkg/lifecycle-server/server_test.go
  • scripts/generate_crds_manifests.sh
✅ Files skipped from review due to trivial changes (3)
  • operator-lifecycle-manager.Dockerfile
  • microshift-manifests/kustomization.yaml
  • microshift-manifests/0000_50_olm_09-lifecycle-server.rbac.yaml
🚧 Files skipped from review as they are similar to previous changes (6)
  • manifests/0000_50_olm_09-lifecycle-server.rbac.yaml
  • Makefile
  • pkg/lifecycle-server/server.go
  • go.mod
  • pkg/lifecycle-server/fbc.go
  • cmd/lifecycle-server/start.go

Comment thread pkg/lifecycle-server/fbc_test.go

// NewHealthHandler creates an HTTP handler for health and readiness probes.
// The /healthz endpoint always returns 200. The /readyz endpoint returns 200
// if lifecycle data is loaded, or 503 if the index is empty.

perdasilva (Contributor, Author) commented Apr 30, 2026

Given that it might be a frequent thing that a catalog does not carry lifecycle metadata, do we want to 503 on /readyz when there's no data?

Member

Like the idea to get a not 200 HTTP code when no data!
Regarding which code to use, aren't 50x HTTP codes to mean Server errors? 🤔
In this case wouldn't be more appropriate something like 403 (Not Found)?
I have no strong opinions btw.

perdasilva (Contributor, Author) commented

/jira refresh

openshift-ci-robot commented Apr 30, 2026

@perdasilva: This pull request references OPRUN-4541 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.


perdasilva (Contributor, Author) commented

/jira refresh

openshift-ci-robot commented Apr 30, 2026

@perdasilva: This pull request references OPRUN-4541 which is a valid jira issue.


coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@scripts/generate_crds_manifests.sh`:
- Around line 556-571: The manifest creates a ClusterRole named
operator-lifecycle-manager-lifecycle-server but never binds it; add a
ClusterRoleBinding that references this ClusterRole (roleRef.name:
operator-lifecycle-manager-lifecycle-server) and includes a subject of kind
ServiceAccount with the lifecycle-server service account name and its namespace
(the same service account used by the lifecycle-server deployment). Name the
binding clearly (e.g., operator-lifecycle-manager-lifecycle-server-binding) so
the lifecycle-server can perform TokenReview and SubjectAccessReview operations.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 5973e75c-fb97-4047-9632-8710b5a25ca8

📥 Commits

Reviewing files that changed from the base of the PR and between 4c24bd3 and a44464c.

⛔ Files ignored due to path filters (3)
  • go.sum is excluded by !**/*.sum
  • vendor/github.com/openshift/library-go/pkg/crypto/crypto.go is excluded by !**/vendor/**, !vendor/**
  • vendor/modules.txt is excluded by !**/vendor/**, !vendor/**
📒 Files selected for processing (13)
  • Makefile
  • cmd/lifecycle-server/main.go
  • cmd/lifecycle-server/start.go
  • go.mod
  • manifests/0000_50_olm_09-lifecycle-server.rbac.yaml
  • microshift-manifests/0000_50_olm_09-lifecycle-server.rbac.yaml
  • microshift-manifests/kustomization.yaml
  • operator-lifecycle-manager.Dockerfile
  • pkg/lifecycle-server/fbc.go
  • pkg/lifecycle-server/fbc_test.go
  • pkg/lifecycle-server/server.go
  • pkg/lifecycle-server/server_test.go
  • scripts/generate_crds_manifests.sh
✅ Files skipped from review due to trivial changes (8)
  • operator-lifecycle-manager.Dockerfile
  • cmd/lifecycle-server/main.go
  • microshift-manifests/kustomization.yaml
  • manifests/0000_50_olm_09-lifecycle-server.rbac.yaml
  • Makefile
  • pkg/lifecycle-server/server_test.go
  • pkg/lifecycle-server/fbc.go
  • pkg/lifecycle-server/fbc_test.go
🚧 Files skipped from review as they are similar to previous changes (2)
  • microshift-manifests/0000_50_olm_09-lifecycle-server.rbac.yaml
  • go.mod

Comment thread scripts/generate_crds_manifests.sh Outdated
@perdasilva perdasilva changed the title OPRUN-4541: add lifecycle-server for serving FBC catalog lifecycle metadata OPRUN-4541,OPRUN-4444: add lifecycle-server for serving FBC catalog lifecycle metadata Apr 30, 2026
openshift-ci-robot commented Apr 30, 2026

@perdasilva: This pull request references OPRUN-4541 which is a valid jira issue.

This pull request references OPRUN-4444 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the epic to target the "5.0.0" version, but no target version was set.


perdasilva (Contributor, Author) commented

/jira refresh

openshift-ci-robot commented Apr 30, 2026

@perdasilva: This pull request references OPRUN-4541 which is a valid jira issue.

This pull request references OPRUN-4444 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the epic to target the "5.0.0" version, but no target version was set.


@perdasilva perdasilva changed the title OPRUN-4541,OPRUN-4444: add lifecycle-server for serving FBC catalog lifecycle metadata OPRUN-4541,OPRUN-4544: add lifecycle-server for serving FBC catalog lifecycle metadata Apr 30, 2026
openshift-ci-robot commented Apr 30, 2026

@perdasilva: This pull request references OPRUN-4541 which is a valid jira issue.

This pull request references OPRUN-4544 which is a valid jira issue.


perdasilva (Contributor, Author) commented

@coderabbitai resume

coderabbitai Bot commented Apr 30, 2026

✅ Actions performed

Reviews resumed.

fgiudici (Member) left a comment

just found a couple of nits
Overall looks great! 🚀

Comment thread pkg/lifecycle-server/fbc.go Outdated
Comment thread pkg/lifecycle-server/fbc.go
fgiudici (Member) commented

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Apr 30, 2026
@openshift-ci openshift-ci Bot added needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. and removed lgtm Indicates that a PR is ready to be merged. labels May 4, 2026
@openshift-ci openshift-ci Bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label May 4, 2026
fgiudici (Member) left a comment

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label May 4, 2026
…ream

NO-ISSUE: Synchronize From Upstream Repositories
Signed-off-by: Per G. da Silva <pegoncal@redhat.com>
@openshift-ci openshift-ci Bot removed the lgtm Indicates that a PR is ready to be merged. label May 4, 2026
fgiudici (Member) commented May 4, 2026

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label May 4, 2026
openshift-ci Bot (Contributor) commented May 4, 2026

@perdasilva: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| ci/prow/e2e-upgrade | 3da12b3 | link | true | /test e2e-upgrade |
| ci/prow/e2e-aws-upgrade-ovn-single-node | 3da12b3 | link | false | /test e2e-aws-upgrade-ovn-single-node |

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
